Analyst's Diary - July 2009

The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky.

Twitter short URLs: statistics


Stefan, July 31, 2009 | 07:54 GMT

As we discussed not so long ago, short URL services are becoming more and more popular among social networks. And the recent event when such a service got compromised highlighted the sensitivity of the problem.

We decided to take a look at just how popular each of these URL shortening services are on Twitter. So we’ve collected all the URLs from the public timeline and thought it would be nice to share the results with the world. The stats are based on data collected during a 24 hour period.

The results show that more than half of the URLs posted on Twitter belong to bit.ly, making it the winning service with 53.75%. Tinyurl.com is in 2nd place, but with only 7.55% there's a big gap between it and 1st place. Twitpic.com accounts for 4.70% of all URLs tweeted, but as it isn't actually a URL shortening service, just an image hosting website for Twitter users, we can't in all good conscience count it among the top ranked services. So is.gd is the last of the top 3, with just 1.73%.

What’s really worth noticing is that more than half of the URLs being tweeted every day are hosted by a single service, bit.ly. But with great power comes great responsibility - if this service got compromised, that would mean more than half of the URLs circulating every day on Twitter would be compromised.

As I have security in mind all the time, I would be a lot happier to see a more even spread across URL shortening services without such a clear leader.
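The tally described in this post can be reproduced with a short script. The Python below is an added example, not the authors' own collection code: it runs over a handful of constructed tweet lines (not real timeline data), needs nothing beyond the standard library, extracts every URL, normalises the host, reports each host's share of all links, ranks the shorteners with image hosts such as twitpic.com excluded (as the post does), and flags any single host that carries more than half of the links.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of public-timeline tweets; not real captured data.
SAMPLE_TWEETS = [
    "check this out http://bit.ly/abc123",
    "new post http://bit.ly/def456 and pic http://twitpic.com/9x8y7",
    "lol http://tinyurl.com/foo-bar",
    "http://is.gd/qwerty #news",
    "http://bit.ly/ghi789",
    "Bit.ly again HTTP://BIT.LY/jkl012",
    "no link in this tweet",
    "via http://bit.ly/mno345 http://tinyurl.com/baz",
]

# Hosts that carry links but are not shorteners (the post excludes twitpic).
NOT_SHORTENERS = {"twitpic.com"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_hosts(tweets):
    """Return the lower-cased host of every URL found in the tweets."""
    hosts = []
    for text in tweets:
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            if host:
                host = host.lower()
                hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def host_shares(tweets):
    """Map each host to its percentage share of all links (2 decimals)."""
    counts = Counter(extract_hosts(tweets))
    total = sum(counts.values())
    if not total:
        return {}
    return {h: round(100.0 * c / total, 2) for h, c in counts.items()}


def top_shorteners(tweets, n=3):
    """Rank shortening services by share, leaving out known non-shorteners."""
    shares = host_shares(tweets)
    ranked = sorted(((s, h) for h, s in shares.items() if h not in NOT_SHORTENERS),
                    reverse=True)
    return [(h, s) for s, h in ranked[:n]]


def concentration_warning(tweets, threshold=50.0):
    """Return the host carrying more than `threshold` percent of links, else None."""
    for host, share in host_shares(tweets).items():
        if share > threshold:
            return host
    return None


if __name__ == "__main__":
    for host, share in top_shorteners(SAMPLE_TWEETS):
        print(f"{host:15s} {share:6.2f}%")
    single = concentration_warning(SAMPLE_TWEETS)
    if single:
        print(f"warning: {single} carries more than half of all links")
```

The concentration check is the point the post makes: a single provider holding most of the links is a single point of failure, so the script reports it separately from the ranking.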

Vkontakte accounts compromised


Aleks, July 30, 2009 | 20:55 GMT

Today data from more than 40,000 VKontakte accounts (the Russian equivalent of Facebook) was put up on a hacker site. We know that the site (83.133.120.252) is a phishing site, and our personal products block attempts to access the site.

Trojan.Win32.VkHost.an (which we added detection for on 28th July) spreads via the VKontakte app (hxxp://vkontakte.ru/app711384?&m=2, currently blocked by VKontakte admins). Once installed, this Trojan modifies the hosts file:

83.133.120.252 vkontakte.ru
83.133.120.252 odnoklassniki.ru

If your machine is infected and you try and open either of the sites, the browser gets redirected to a phishing page which requests login credentials. The login and password get sent to the database at 83.133.120.252. (The Odnoklassniki database was empty at the time of writing, so it's still a bit too early to say if Odnoklassniki user data has been compromised.)

Enter your details on the phishing page, and you get redirected to a new page which shows a warning in Russian. Here's the translation:

WARNING!
Your account has been identified by the system as potentially dangerous.
Spam mailings are being conducted from your IP address.
The account is recognized as being fake, created by malicious users in order to conduct spam mailings, and will be deleted 24 hours after this notification has been read if the account details are not verified.

If the account is genuine, it needs to be verified.

Send an SMS reading orderit30913 (no spaces) to 6008. You will receive an activation code in the response SMS.

The SMS will be charged in accordance with your service provider's plan.

It looks as though if you send an SMS you do get some sort of code in return, as the site has a page with this message:

Code accepted! Download and launch file - Download

The link leads to a file called access.exe, which restores the original hosts file (127.0.0.1 localhost).

If you just enter a random code, you get this message:

You've entered an incorrect code. Go back and enter the code from the SMS!

If you've got a VKontakte or Odnoklassniki account, check your hosts file (%windir%\system32\drivers\etc) and if you find links to vkontakte.ru and odnoklassniki.ru, delete them. You should also change all your passwords to all social networking accounts; if you end up on a phishing page like the one above, don't enter your details; and last but not least, don't send an SMS. This is yet another attempt by the bad guys to make a bit of money on the side using short, premium pay numbers.

Finally, if you think your account data might have been compromised, you can check via our Russian-language blog on the subject.
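A check for the hosts-file tampering described above, as an added example and not Kaspersky's removal tool: the Python below parses a hosts file, reports any entry that points vkontakte.ru or odnoklassniki.ru anywhere other than loopback, and returns a cleaned copy with those lines removed. The sample hosts content is constructed to mirror the infection; the 83.133.120.252 address is the one named in the post. A loopback mapping of the same names is left alone, since that is how some people deliberately block a site. Writing the cleaned file back on Windows needs an elevated prompt.

```python
import ipaddress
import os

# Domains the Trojan redirects (from the post).
WATCHED = {"vkontakte.ru", "odnoklassniki.ru"}

# Constructed hosts file content mimicking the described infection; not a real capture.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
83.133.120.252 vkontakte.ru
83.133.120.252 odnoklassniki.ru
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed address, skip
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def find_hijacked(text, watched=WATCHED):
    """Return (lineno, ip, name) for watched names mapped to a non-loopback address."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        bare = name[4:] if name.startswith("www.") else name
        if bare in watched and not ip.is_loopback:
            hits.append((lineno, str(ip), name))
    return hits


def clean_hosts(text, watched=WATCHED):
    """Return the hosts file text with the hijacking lines removed."""
    bad = {lineno for lineno, _, _ in find_hijacked(text, watched)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


def default_hosts_path():
    """Location of the hosts file on Windows (%windir%\\system32\\drivers\\etc) or Unix."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Demonstrate on the constructed sample; to check a live system, read default_hosts_path().
    for lineno, ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} hijacked to {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```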

SWF, PDF - it's all Adobe


Aleks, July 23, 2009 | 17:03 GMT

Recently, vulnerabilities in Adobe products have come to pose a major threat, and the number of infections which they cause overtook those resulting from vulnerabilities in Windows or Internet Explorer long ago.

The latest zero-day vulnerability was identified yesterday and grabbed the attention of AV researchers right away, with PDF files with a marked Chinese connection appearing in the wild.

One of these files was called “Cao Chang-Ching The CPP made eight mistang Urumuqi incident_mm.pdf”. The events of the past few days in the Chinese town of Urumqi, where local residents clashed with police, made the news around the world, so it’s no surprise to see this topic being used to spread malicious programs.

The files didn’t contain the traditional JavaScript exploit, which had been the case with previous PDF vulnerabilities. However, when the PDF file is opened two files called temp.exe and suchost.exe appear on the system: clearly there’s some sort of exploit at work here, and one which works even on the most recent, patched version of Adobe Reader.

More detailed analysis showed that an SWF object – a Flash clip – had been inserted into the PDF file. Flash clips are also an Adobe product, and are played by Adobe Flash Player.

The vulnerability which had been identified was actually in Adobe Flash Player versions 9 and 10, and not in Adobe Reader! This is what initially confused researchers analysing the PDF files and their format. The exploit uses heap spraying, and the vulnerability can be exploited both when a specially crafted PDF file is opened and when malicious sites are visited in the browser.

There’s indirect evidence which leads us to believe that this variant of the exploit was created at the beginning of July (either the 2nd or the 9th) and has probably already been used in a number of targeted attacks.

The samples we analysed install two malicious programs: Trojan.Win32.PowerPointer (modifications .h and .i) and Trojan-Downloader.Win32.Agent (modifications cjll and cjoc).

Prior to detection being added to our databases, these were still proactively detected using heuristic technologies as HEUR:Trojan.Generic.

Detection for the malicious PDF files was added to our antivirus databases yesterday evening as Exploit.SWF.Agent.br and .bs.

Adobe has officially confirmed the existence of the zero-day vulnerability and has promised to release a patch by July 30th.

However, as the promised release is a week away, we recommend you disable the use of Flash in Acrobat Reader and embedded objects in the browser.

In Adobe Reader, go to Edit > Preferences > Multimedia Trust > Permission for Adobe Flash Player in Adobe Reader, and choose “Never” or “Prompt”:
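Because this exploit sits in an SWF object rather than in JavaScript, a triage check that only greps a PDF for /JavaScript misses it. The Python below is an added example, not Kaspersky's detection logic: it looks for the traces a Flash-bearing PDF leaves, namely RichMedia annotation keys and stream bodies, raw or FlateDecode-compressed, that begin with the SWF magic bytes FWS/CWS, and counts JavaScript markers alongside for comparison. The sample PDF bytes are constructed for the test and are not a real malicious file. The regex-based stream splitting is a heuristic, not a full PDF parser, so it can miss objects tucked inside object streams or encoded with other filters.

```python
import re
import zlib

# Markers of Flash content in a PDF: RichMedia annotations (/RichMedia, /Subtype /Flash)
# and SWF data, which starts with "FWS" (uncompressed) or "CWS" (zlib-compressed)
# followed by a one-byte version number.
RICHMEDIA_RE = re.compile(rb"/RichMedia|/Subtype\s*/Flash")
SWF_MAGIC_RE = re.compile(rb"[FC]WS[\x01-\x20]")
JS_RE = re.compile(rb"/JavaScript|/JS\b")
# stream ... endstream bodies; the lookbehind stops "endstream" from being read as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _stream_bodies(pdf):
    """Yield each stream body raw and, if it inflates, its FlateDecode'd form too."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        yield body
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass                               # not a zlib stream, raw form already yielded


def find_flash_indicators(pdf):
    """Count RichMedia markers, SWF-headed streams and JavaScript markers in PDF bytes."""
    findings = {
        "richmedia_markers": len(RICHMEDIA_RE.findall(pdf)),
        "swf_streams": 0,
        "js_markers": len(JS_RE.findall(pdf)),
    }
    for body in _stream_bodies(pdf):
        if SWF_MAGIC_RE.match(body):
            findings["swf_streams"] += 1
    return findings


def is_suspicious(pdf):
    """A PDF carrying Flash content deserves a closer look while the Player bug is unpatched."""
    f = find_flash_indicators(pdf)
    return f["swf_streams"] > 0 or f["richmedia_markers"] > 0


def build_sample_pdf(flate=True):
    """Constructed, minimal PDF-like bytes for testing; not a valid renderable document."""
    swf = b"FWS\x09" + b"\x00" * 16           # SWF version 9 header plus padding
    body = zlib.compress(swf) if flate else swf
    filt = b"/Filter /FlateDecode " if flate else b""
    return (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
            b"2 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(find_flash_indicators(sample), "suspicious" if is_suspicious(sample) else "clean")
```

Note that the sample reports zero JavaScript markers while still being flagged, which is exactly the case the post describes.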


Rogue anti-spyware on Twitter


Marco, July 23, 2009 | 16:50 GMT

In addition to Trojans and Worms, Twitter seems to also be a good platform for distributing rogue security solutions. The latest example of this is a program called "MalwareRemovalBot" which we detect as "not-a-virus:FraudTool.Win32.MalwareRomovalBot.e".

The link in the tweets leads to the 'vendor' site - and nearly every link here leads to the download.

The downloaded filename varies - "setup.exe", "setupxv.exe" or "setup-trial.exe". It's a UPX-compressed Windows PE-executable.

Once the program's installed and a scan's been run, the program may report fake spyware infections to scare the user and get him to "register".

The registration website leads to the shop where a "special offer" is waiting for the potential customer.

A license for a single PC costs as much as the 3 PC license - $39.95 plus two 'extra' technologies for $9.95. The total payment of $59.85 can be made by PayPal or credit-card. Pretty expensive for fake protection.

Conclusion: You can't expect every tweet to lead to an interesting website, but you can expect that some of them will lead to malicious sites. Use your common sense, and don't be a twit when you tweet.

War walking in Dubrovnik


Dmitry, July 23, 2009 | 14:25 GMT

Last month, we were over in Dubrovnik for our 10th anniversary Virus Analyst Summit: five days of presentations, brain-storming, research and interviews. At around the same time, my colleague Christian's article on the dangers of using WiFi networks on holiday was published.

Dubrovnik was full of tourists, as well as all the summit participants and journalists we'd invited, and most people were probably checking their email, using IM, or surfing social networking sites on a regular basis. With this in mind, I decided to do a bit of war-walking to check the security of the town's networks.


A few days walking the narrow streets of the old town resulted in the following data:


  • 84% of networks didn't use any type of authentication
  • 41% of networks didn't use any type of encryption, meaning that any data (including confidential information) could easily be intercepted
  • 44% of networks used WEP encryption, which isn't much better than no encryption - WEP can be cracked in a matter of minutes
  • Around 10% of networks hid the SSID in order to increase security

It's not surprising that so many of the networks were completely open; Dubrovnik is a tourist town, so a lot of cafes and bars offer free Internet access with the aim of pulling in more customers. These open networks are a classic example of the trade-off between security and usability: although easy-to-use free Internet access seems attractive, the security risks are far higher than those associated with secure networks.

Another day, another infected tweet


Marco, July 21, 2009 | 16:15 GMT

There've been quite a few reports over the last few days about how Erin Andrews' 'naked' video is being used to spread malware, with links to infected sites being sent in spam.

Now there's a new fake video codec being spread on Twitter, with lots of different hash tags being used to push the link. And one of the most popular topics is 'Erin Andrews'.

We detect the malware as Trojan-Downloader.Win32.CodecPack.iow.

Not Kaspersky


Oleg, July 21, 2009 | 13:13 GMT

We've had a number of people contacting us with queries about 'Kaspersky Lab Antivirus Online' after their computer showed them this message:

The short answer is: it's certainly nothing to do with us! It's actually the payload of a primitive piece of ransomware, Trojan-Ransom.Win32.SMSer. The Trojan installs itself to the Windows directory, and shows this message when the computer is rebooted.

The message is a typical ransom demand (the original Russian contains some grammar and spelling mistakes which should act as an immediate red flag) and reads as follows:

Kaspersky Lab Antivirus Online
Attention! The Kaspersky Lab Online check shows that a malicious virus, which gradually infects all files on your computer, has been found on your system. The virus has been temporarily blocked, but its encryption algorithm changes constantly and stopping it at the moment without having this program is not possible. In order to delete the malicious virus it's necessary to find out which encryption algorithm the virus has at the moment, in order to do this send an SMS to the short number 6008 with the text '#win1tt5669' (without inverted commas). The cost of the SMS is 6 roubles. Once you have sent the sms, you will immediately be sent a key which disables the virus. Enter this key and the program will completely delete the virus from your computer.

The encryption algorithm will change in 161 seconds.
(Once this time has elapsed you are strongly recommended to delete it)

Enter the key you have received in this field:

[Button] Delete

*The program blocks all possible methods for entering Windows, and if the malicious virus is not deleted ALL files on your computer will be infected very quickly. Attention: Re-installing Windows will not change the situation as the virus writes itself to the boot sector of the hard disk.

All this is heavily reminiscent of the scare tactics behind rogue AV solutions, with the added tactic used by Russian and other virus writers of leasing short numbers to make a little illegal money. While the guys behind this Trojan are trying to seem legit by using our name, they seem to have forgotten that no reputable security company would ever stoop to using such methods.

Not everything in the message is true - for instance, sending an SMS won't cost you 6 roubles, but 150 roubles and upwards (around $5), depending on your network. However, the Trojan does block access to Task Manager and other system tools. If you've got Kaspersky Anti-Virus installed, and your databases are up-to-date, you've got no problem - we detect all modifications of this Trojan. If you don't use a Kaspersky Lab product, you can get our free removal utility here to fix your system.

The moon - a spam-free zone?


David, July 20, 2009 | 17:27 GMT

There's less than 4 hours to go until the 40th anniversary of the moon landings. I've been watching the countdown on the Moon Widget on my desktop, and pondering the lack of moon-related spam.

There's been such huge media interest in the run-up to the anniversary, I would have expected cybercriminals to jump on the bandwagon. Not hard to imagine some of the subject lines: 'Exclusive NASA archive footage!' for Apollo 11 fans, or 'The REAL truth about the moon landings!' to tickle the fancy of conspiracy theorists. Stuff like that might almost manage to tempt me - and I work in the security industry! - into opening an attachment from an unknown source.

The spammers seem to have been curiously silent on this topic, and I can't work out why. It seems to me they've missed a trick here which is kind of out of character. Maybe I'm just not cut out to be a spammer?

A very Russian scam


Maria, July 16, 2009 | 09:47 GMT

If you got unsolicited email asking for your employees' personal details, would you respond? Hopefully, you'd have enough sense not to. But what if the email promised some sort of benefit for your employees? This is what one of the most recent Russian mass mailings has been doing.

The messages supposedly come from a government department, and promise medals 'for outstanding work' to those nominated by their organizations. They lay particular stress on these medals being awarded to veterans of the Second World War and other military conflicts. Additionally, the messages promise that a note will be made of the award in the recipient's 'work book'. (This is a passport size book which has to be provided to an employer by the employee. It acts as an official record of employment and the lack of a work book, or a negative record can affect employment prospects.)

In addition to the message itself, there's a form to fill in, which asks for the nominee's personal details: name, date and place of birth, address, place of work etc. etc.

A quick bit of research shows that the message is a fake - the addresses, phone numbers and email addresses aren't connected to any government department, and the legal jargon references points of law which don't actually exist. But if you're a busy employer, and think that by filling in the form your older employees might benefit, you're probably not going to bother to do any research. Exactly what the scammers are counting on.

Spam designed to help the bad guys get their hands on personal data is nothing new. What's interesting about this mass mailing is that it's very clearly targeting pensioners' details. My best guess is these details will then be used by the scammers to trick vulnerable older people out of their homes. Sadly, this is all too common in Russia - for instance several workers in the social care sector in Vladivostok were recently convicted of getting pensioners to sign over their property under false pretences.

Patch Tuesday again


David, July 15, 2009 | 11:27 GMT

This month Microsoft released six security bulletins, three of them rated Critical, three of them rated Important.

The three Critical bulletins are:

1. Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
2. Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
3. Cumulative Security Update of ActiveX Kill Bits (973346)

The three Important bulletins are:

1. Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
2. Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
3. Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)

You can find more information here on the Microsoft site.

Here's a summary of the patches released so far in 2009:

Month      Critical  Important  Moderate
January    1         -          -
February   2         2          -
March      1         2          -
April      5         2          -
May        1         -          -
June       6         3          1
July       3         3          1

Patched security vulnerabilities 2009

The use of unpatched vulnerabilities continues to be a significant part of the threat landscape, so it's important to make sure you patch your systems. Remember you can use Windows Automatic Updates to automate this process.

Koobface on the tweet


Marco, July 14, 2009 | 17:32 GMT

We are currently witnessing a new wave of Koobface messages flooding Twitter. The message that is mostly used right now is: "My home video :) <URL>"

The script calls a php-script on a server which uses an ID to return an IP address leading to the video site. This means the IP address is different for every request.

Interestingly, the guys behind this attack are clearly out to maximize their ROI: if you're using Mac or Linux, you end up getting redirected to an adult site.

Twitter is saying it may block infected accounts. We're doing our part as well - our users are already protected from the malicious file:

And we've also added protection against the malicious tweet itself, which will be detected as Net-Worm.Win32.Koobface.aqy as updates are rolled out to our users.

The msvidctl Internet Explorer 0day


Georg, July 07, 2009 | 16:58 GMT

As you've probably already heard, there's a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 3. Microsoft hasn't released a patch yet, but they have provided a work-around.

Some people have simply recommended turning off JavaScript to mitigate this issue. However this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required and turning off JavaScript only mitigates attacks from less skilled attackers. I put a bit of time into researching this - it very quickly became clear that this vulnerability doesn't rely on JavaScript, i.e. it can be exploited with JavaScript turned off.

The vulnerability allows arbitrary code execution and we therefore strongly recommend that you should apply the workaround from Microsoft's advisory or turn off ActiveX altogether. Otherwise you will be at risk of exploitation of Internet Explorer 6 and Internet Explorer 7.

We've added generic detection for the actual exploit as Exploit.Win32.Direktshow and the often accompanying JavaScript as Exploit.JS.Direktshow.

(08.07, 15.04: edited to correct typo in the Service Pack information.)

No cause for celebration


Maria, July 07, 2009 | 09:55 GMT

Spammers were out in force for the USA’s Independence Day, celebrating the country’s diversity in all its glory, and illustrating Jefferson’s thesis that “all men...are endowed...with certain unalienable rights...Life, Liberty, and the pursuit of Happiness”.

First up was spam confirming the predictions of some security companies that cybercriminals would celebrate the holiday with a spam run spreading Waledac (which we detect as Iksmas). What could be more life-affirming than a firework display? Unfortunately, the spam containing links to a fake YouTube video of the 4th July fireworks also pushed malware onto victim machines.

Next, the spammers exhorted recipients to celebrate freedom of choice by paying big bucks to a diploma mill:

And finally, why not pursue happiness by buying drugs online? This message linked to sites selling Xanax, Valium, Oxycontin and other prescription medications.

While you might get a temporary buzz (assuming the products are genuine) you may also find yourself with a nice little drug habit.

What price independence now?

Koobface on the rise


Stefan, July 06, 2009 | 15:28 GMT

In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing.

As we've said before, Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well.

Normally the increase in the number of malicious programs slows a bit over the summer with lots of people (virus writers, cybercriminals etc.) taking a bit of time off. But in the case of Koobface, the opposite has happened. This is probably because cybercriminals have realized that spreading malware via social networking sites is very effective.

June 2009 is an important milestone in the history of social network malware; the activity we've seen this month far exceeds anything we've previously seen. With everyone who's anyone now having a Facebook page, Twitter account or similar, the pool of potential victims is growing day by day - just take a look at the Alexa stats for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often.

Curiosity killed the cat


Maria, July 02, 2009 | 08:45 GMT

If you’re reading this, you’re probably not a cat, so curiosity won’t kill you. But it can result in someone getting hold of your confidential data.

In my blog about Michael Jackson, I mentioned that Britney Spears had her Twitter account hacked and news of her death posted on her own site. The vulnerability which was exploited has been fixed, the post was deleted, and Britney (or one of her staffers!) has posted saying the singer is alive and well. (I was glad to see that message, because Britney is giving a concert in Russia soon, and tickets are selling fast!)

Britney’s post hasn’t stopped the spammers though – we just picked up the message shown below:

Another prime example of spammers exploiting that vulnerability called “curiosity”. Anyone who’s foolish enough to open the attachment is going to find themselves saddled with Trojan-Spy.Win32.Zbot, a program designed to steal personal data.

Patching technical vulnerabilities is easy; eliminating human vulnerabilities is a lot more difficult.

Copyright © 1996 - 2009 Kaspersky Lab